News Archives

Sunday, November 29, 2015

Update on the CJEU’s Safe Harbor Decision

As we reach the end of November, an update is in order on the rapid-paced and continuing fall-out from the Court of Justice of the European Union’s October 6 ruling in the Schrems case.  Over the past month or so, the main developments have been as follows: 
  • The EU Parliament LIBE committee issued a press release condemning mass surveillance in the US and in some member states and calling upon the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor (Oct. 13).
  • The Schleswig-Holstein DPA announced that data transfers to the US based upon model contracts should be terminated or suspended (Oct. 14).
  • DPAs in Bemen and Berlin confirmed that they agree with their colleague in Schleswig-Holstein on the unacceptability of model contracts as an alternative to Safe Harbor (Oct.15).
  • The Article 29 Working Party issued a statement calling for a “robust, collective and common position” on implementing Schrems; pledging to review the viability of model contracts and BCRs, while noting that they can in the meantime still be used absent particular circumstances; and warning that it would “take all necessary and appropriate actions, which may include coordinated enforcement actions” if a solution is not found with US authorities by January 31, 2016 (Oct. 16).
  • The Israeli data protection authority (ILITA) revoked its acceptance of Safe Harbor membership as a valid basis for data transfers to the US (Oct. 19).
  • Calling for recognition that privacy is a fundamental human right, the President and Chief Legal Officer of Microsoft proposed four steps to resolve the impasse over trans-Atlantic data transfers (Oct. 20).
  • The US House of Representatives passed the Judicial Redress Act that would extend to foreigners the same rights to judicial redress as US citizens have in law enforcers violate their privacy (Oct. 21).
  • The Swiss DPA announced that data transfers to the US could no longer be based upon the US-Swiss Safe Harbor framework (Oct. 22).
  • The German data protection authorities collectively announced that they would no longer approve new data transfers based upon model contracts or BCRs and would immediately investigate data transfers to the US by large US companies (Oct. 27).
  • The European Union announced that it had struck a deal “in principle” with the US on a new data-sharing agreement to strengthen Safe Harbor, a deal involving greater oversight by the Dept. of Commerce and a review by European officials of access to transferred data by US security and law enforcement agencies (Oct. 27).
  • Oracle revealed that it is now keeping all data regarding European citizens within the EU (Oct. 28).
  • The US Commerce Secretary said that a solution she called “Safe Harbor 2.0” is “totally doable” and will be coming “shortly” (Oct. 29).
  • The EU Parliament re-iterated its concerns about mass surveillance in the US and in Europe, called for a report by the Commission by the end of 2015 and urged member states to grant whistle blower status and protection to Edward Snowden (Oct. 29).
  • Large US companies such as Facebook and Airbnb said that they rely upon transfer mechanisms other than Safe Harbor (Nov. 1).
  • The Spanish DPA (AEPD) announced that it had sent a letter to all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies, given them until January 29, 2016 to inform the authority of what mechanisms for data transfers they were now using (Nov. 3).
  • The Dubai International Financial Centre DPA stated that data controllers needed a legal basis for data transfers to the US other than Safe Harbor (Nov. 5).
  • The European Commission issued a communication about the Schrems decision stating that model contracts and BCRs can still be used while discussions proceed with the US (Nov. 6).
  • Microsoft announced that in conjunction with Deutsche Telekom it will be offering cloud services from Germany and other EU member states that will be beyond the reach of US authorities.  Other cloud vendors such as Amazon, Google and Syncplicity are also ramping up their opening of data centers in Europe (Nov. 11).
  • A group of 40 privacy groups from both Europe and the US said that the proposal for a new data transfer agreement is insufficient to protect privacy and will likely be struck down by regulators and Europe's high court (Nov. 16). 

It is worth noting that no significant developments relevant to Schrems and Safe Harbor have been reported during the last two weeks, the likely reason being the November 13 terrorist attacks in Paris.  Although some believe, or hope, that the attacks are shifting the pendulum from privacy to security, it is difficult to see how they impact or change the current EU-US legal impasse over data transfers.

Meanwhile, the clock continues to click towards the January 31, 2016 deadline, as massive a date in the data protection community as Y2K was a decade and a half ago for society in general.  However, the chances that January 31 will be as much a non-event as Y2K proved to be are very small.  Whether we see a successful conclusion to the Safe Harbor 2.0 negotiations or not, the next few months are going to be memorable and consequential.

Privacy at Risk in Employee Wellness Programs

Employees face significant privacy risks when invited to participate in an employer-sponsored wellness program, according to reports airing in October on CNN and NPR.  The CNN report, prepared by Kaiser Health News, begins with a description of the dilemma encountered by employees of the City of Houston when compelled to participate in a new program or pay an extra $300 per year for health insurance.  It also notes that a web of entities besides wellness provides may receive employee health information, including rewards companies, employers, health insurers, fitness app companies, wearable device makers, medical test labs, fitness centers, advertisers and unidentified third parties and agents.  HIPAA privacy laws generally do not protect information generated via wellness programs.  Uncertainties about who will has access to wellness data and what limitations exist upon their use and further disclosure of that data are also highlighted in the NPR report entitled “7 Questions to Ask your Boss about Wellness Programs.”


The privacy risks involved with increasingly trendy health-related wearables, which are often one of the components of wellness programs, were also underscored during October, when the Consumer Electronics Association (CEA) released its 5-page Guiding Principles on the Privacy and Security ofPersonal Wellness Data.  These voluntary guidelines for private-sector organizations that handle the type of data produced by wearable technologies include recommendations in eight areas: security; policy and practice; concise notice; unaffiliated third party transfers; fairness; personal data review, correction and deletion; advertising communications; and law enforcement response.  In spite of the potential benefits of wearable devices, a variant of long-familiar consumer advice is appropriate:  Wearer Beware.

Weltimmo: Another Landmark CJEU Decision

The stunning character of the Schrems decision overshadowed another major decision of the Court of Justice of the European Union, one that has profound implications for multi-national and Internet companies operating in multiple EU member states.  Ruling in the case of  Weltimmo s.r.o. v NemzetiAdatvédelmi és Információszabadság Hatóság, the CJEU found that a company has an “establishment” in a member state if it exercises a real and effective activity, even if only a minimal one, through stable arrangements, in that state.  Applying this test, the Court found that if Weltimmo, a Slovakian-registered company, had a website targeting the country in the Hungarian language, as well as a legal representative, letter box and bank account all located in Hungary, then it would be established in Hungary and subject to the requirements of Hungarian data protection law.  

The ruling severely undercuts the strategy of companies that have located their European headquarters in member states such as Ireland that are known to be very permissive in their enforcement of data protection law.  Such companies, with Facebook being a leading example, have claimed that the only member state law to which they must adhere is that of the state in which they have their headquarters, regardless of their activities in other member states.  Such an argument would be untenable under the new General Data Protection Regulation; it is now untenable under the old Data Protection Directive as well.

Thursday, November 26, 2015

Sony to Pay Millions to Employees for 2014 Data Hack

A federal judge has given preliminary approval to a settlement reached by Sony Pictures Entertainment and employees who sued over the exposure of their personal information resulting from a hack of the company's computers in 2014.  Even though the US government blamed North Korea for the attack, employees sued on the grounds that Sony had failed to protect their information. Under the terms of the settlement, Sony will pay current and former employees up to $4.5 million to compensate for their losses and up $3.5 million in legal fees.  Individual employees will receive up to $10,000 under the settlement, including up to $1,000 for claims without documentation and an additional two years of ID theft protection. The settlement is expected to be finalized in March 2016.

While employees have sued employers over data breaches for many years now, this is one of the largest awards of compensation on record.  When reviewing their budgets for data security, employers would be well-advised to consider that an ounce of prevention can be worth a pound of cure.